Looking back to the PC and mobile phone era, we find ourselves in 2016, some 40 years after the PC and 30 years after the mobile phone were popularised, talking about technology, security and privacy. The change has been dramatic and I do not need to describe it; just think back to your childhood. Without doubt ICT has changed mankind for the better, and connecting people together improves lives.
But some things have not changed. In 1982 the first recognised virus, the Elk Cloner virus, reared its ugly head and started a global game of cat and mouse between computer attacks and computer security enhancements. Yet here we are at the start of 2016 in a position where we cannot say we can secure technology.
Looking forward to 2020 and beyond, the world will be a very different place. The world will be more dynamic, more vibrant and more complex. Enabled by 4G and 5G technology, the completion of most national broadband roll-outs and the common use of cloud computing and mobile computing, almost everything will be connected. Man to machine; man to man; machine to machine.
Technology will underpin everything we do. As is happening now, ICT is being used to underpin every advance in modern existence. This will continue. We will shift from “there is an app for that” to “there is an API for that”. A world will be created that enables individuals and companies to connect anything to anything and create scalable solutions using global cloud platforms and advanced telecommunications networks establishing themselves as global virtual players.
In 2020 security and privacy considerations will have taken on a new meaning. Whilst an uneasy truce and equilibrium may have been reached between Governments on security and privacy, that is not the same as trust. Today it is hard to predict how, by 2020, we will have resolved the balance that is needed between national security and the protection of citizen data, both locally and when it crosses borders. Europe will have continued to take the lead in the protection of personal data and America will have continued to take the lead in the monetisation of personal data. What we can be sure of is that, without the USA accepting the primacy of EU data protection laws for EU citizens in Europe, fewer American companies will be offering services in Europe, or American companies will have developed their “data Ambassador” schemes to ensure only EU-based companies have access to their customers’ data.
But is security any better? Firstly, let me ask readers a question. Do you think you can secure what you do not understand and cannot see? Do you understand the architecture of cloud computing services connected over many international borders using technology from hundreds of companies who themselves use thousands of suppliers across many countries? Would you understand this more, or less, if much of the infrastructure was virtualised, software defined, connected using 5G technology and controlled by a device in your hand or indeed controlled by the network itself? An environment like this, whose characteristics today’s environments already share, contains thousands of products and billions of lines of computer code. Just as the products and how they are used have changed, the approach to security must change.
Remember, product standards are focussed on individual products; code scanning is focussed on code within a product; certification schemes are focussed on products. None of this caters for the inherent complexity of a sub-system or indeed an eco-system.
Security moves from product to supplier trust. Undoubtedly individual product security will continue to improve but I question if it can move at a pace that keeps up with the cumulative impact of innovation built on innovation in a globalised world.
So how do we address this? Security will become less of a product focus and more of a vendor and service provider focus. If you cannot have certainty over every product or component, can you have greater certainty over your vendors and service providers? The answer is a very clear yes, and we need to make this happen, else you end up with the blind leading the blind and that can only end in, well, I will leave it to your own imagination.
Let us change the value of security. Imagine a scenario where a vendor or service provider did not declare, or would not show you what they did on security and privacy protection, their policies, their processes, their approach to management, product design, build and testing etc. Should you use them or trust them? Absolutely not. Use your buying power to drive focus and improvements.
Who is likely to know more about the security and protection of a vendor’s product: a service provider or the product vendor? The vendor, because they designed and built it. So wise companies and advanced Governments are now taking an active role in understanding the new ICT products: understanding how they are designed, how security is being built in, and understanding any remaining risks so they can plan for a more complex technological future.
We believe as a global vendor that it is only by demonstrating what you do in detail, revealing everything you do and building close, intimate relationships with customers and Governments that security can be addressed at a strategic level.
Summary. The advancement of technology will not stop, and given that we have not been successful at securing today’s technology, we should not plan on the future technology being secured either. Users, service providers, enterprises and Governments can shape their future security position by demanding more openness and transparency from vendors, and by demanding an intimate understanding of the approach they take to building security and privacy into their products and services. Based on this knowledge, buyers can then assess how seriously a vendor takes security and privacy and adapt their purchasing decisions accordingly. As the saying goes, money talks.